[selinux-policy/f17] - Allow virsh to stream connect to virtd - Add support for $HOME/.cache/libvirt - Allow groupadd_t t
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Aug 28 11:38:38 UTC 2012
commit a29f344e2be13b1fe3479ca70fd4d2f1746c3f2f
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Aug 28 13:38:01 2012 +0200
- Allow virsh to stream connect to virtd
- Add support for $HOME/.cache/libvirt
- Allow groupadd_t to search default_context
- Allow xdm_t to search dirs with xdm_unconfined_exec_t label
- Allow ksysguardproces to read/write config_usr_t
- Backport passenger policy from F18
- Allow wdmd to create wdmd_tmpfs_t
policy-F16.patch | 247 +++++++++++++++++++++++++++++++++++---------------
selinux-policy.spec | 11 ++-
2 files changed, 183 insertions(+), 75 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 85173fc..c52e079 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -65095,24 +65095,23 @@ index e0791b9..98d188e 100644
+ term_dontaudit_use_all_ptys(traceroute_t)
+')
diff --git a/policy/modules/admin/passenger.fc b/policy/modules/admin/passenger.fc
-index 545518d..fa3b27f 100644
+index 545518d..7d5bf4c 100644
--- a/policy/modules/admin/passenger.fc
+++ b/policy/modules/admin/passenger.fc
-@@ -3,6 +3,12 @@
+@@ -3,6 +3,11 @@
/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/.*/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/.*/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
-+
++/usr/share/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/share/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
+
/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if
-index f68b573..95efca0 100644
+index f68b573..8fb9cd3 100644
--- a/policy/modules/admin/passenger.if
+++ b/policy/modules/admin/passenger.if
@@ -18,6 +18,24 @@ interface(`passenger_domtrans',`
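Review bot: The two agent specs at L42-L43 use the prefix `/usr/gems/`, which does not match the `/usr/share/gems/` prefix used for PassengerWatchdog and ApplicationPoolServerExecutable two lines above, so it looks like the `share/` component was lost when the overbroad `/usr/.*/` was narrowed. If no `/usr/gems` tree exists on F17, the HelperAgent and LoggingAgent under `/usr/share/gems` keep the parent label and the watchdog running as passenger_t would likely be denied when it execs them; I cannot see the installed layout, so please confirm against the package file list. I would expect `/usr/share/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)` and `/usr/share/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)`.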
@@ -65140,7 +65139,7 @@ index f68b573..95efca0 100644
########################################
## <summary>
## Read passenger lib files
-@@ -37,3 +55,64 @@ interface(`passenger_read_lib_files',`
+@@ -37,3 +55,84 @@ interface(`passenger_read_lib_files',`
read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
files_search_var_lib($1)
')
@@ -65205,16 +65204,30 @@ index f68b573..95efca0 100644
+
+ allow $1 passenger_t:unix_stream_socket connectto;
+')
++
++#######################################
++## <summary>
++## Allow to manage passenger tmp files/dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`passenger_manage_tmp_files',`
++ gen_require(`
++ type passenger_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
++ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
++')
diff --git a/policy/modules/admin/passenger.te b/policy/modules/admin/passenger.te
-index 3470036..e4180ee 100644
+index 3470036..bf7e806 100644
--- a/policy/modules/admin/passenger.te
+++ b/policy/modules/admin/passenger.te
-@@ -1,4 +1,4 @@
--policy_module(passanger, 1.0.0)
-+policy_module(passenger, 1.0.0)
-
- ########################################
- #
@@ -28,7 +28,7 @@ files_pid_file(passenger_var_run_t)
# passanger local policy
#
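Review bot: `passenger_manage_tmp_files` (L77-L85) grants the caller only the file and dir classes on passenger_tmp_t, yet this same commit has passenger_t create sock_files there (the `manage_sock_files_pattern` and the `sock_file` filetrans added at L112-L113). If the consumer this commit wires up (httpd_t) has to connect to a socket under /tmp it also needs `write` on that sock_file; the visible tail of `passenger_stream_connect` (L64) only supplies the `connectto` half. Either add `manage_sock_files_pattern($1, passenger_tmp_t, passenger_tmp_t)` here or, more narrowly, a `stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)` inside `passenger_stream_connect`. I cannot see whether the socket actually lives in /tmp, so confirm this against the AVC denials before changing it.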
@@ -65224,22 +65237,31 @@ index 3470036..e4180ee 100644
allow passenger_t self:process { setpgid setsched sigkill signal };
allow passenger_t self:fifo_file rw_fifo_file_perms;
allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -49,6 +49,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+@@ -49,11 +49,16 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
+#needed by puppet
+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
-+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir })
++manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
++files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file })
+
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
-@@ -64,9 +69,12 @@ corecmd_exec_shell(passenger_t)
+ corenet_all_recvfrom_netlabel(passenger_t)
+-corenet_all_recvfrom_unlabeled(passenger_t)
+ corenet_tcp_sendrecv_generic_if(passenger_t)
+ corenet_tcp_sendrecv_generic_node(passenger_t)
+ corenet_tcp_connect_http_port(passenger_t)
+@@ -63,10 +68,14 @@ corecmd_exec_shell(passenger_t)
+
dev_read_urand(passenger_t)
- files_read_etc_files(passenger_t)
+-files_read_etc_files(passenger_t)
++domain_read_all_domains_state(passenger_t)
++
+files_read_usr_files(passenger_t)
auth_use_nsswitch(passenger_t)
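Review bot: `domain_read_all_domains_state(passenger_t)` (L128) lets a domain that executes web-application code read the /proc/<pid> state of every other domain on the system, which is a broad disclosure grant with no comment saying which denial it answers. If the real need is puppet/facter inspecting particular processes, a targeted interface (or `domain_getattr_all_domains` if only stat is required) would be narrower; at minimum add a why-comment such as `# puppet master under passenger reads /proc/<pid> of other domains — TODO narrow to the actual target`. Dropping `files_read_etc_files(passenger_t)` (L127) is only safe if the F16 base policy already grants etc_t reads to every domain; otherwise passenger loses its /etc read access, so please confirm.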
@@ -65249,16 +65271,30 @@ index 3470036..e4180ee 100644
miscfiles_read_localization(passenger_t)
userdom_dontaudit_use_user_terminals(passenger_t)
-@@ -75,3 +83,9 @@ optional_policy(`
+@@ -75,3 +84,23 @@ optional_policy(`
apache_append_log(passenger_t)
apache_read_sys_content(passenger_t)
')
+
+optional_policy(`
++ hostname_exec(passenger_t)
++')
++
++optional_policy(`
++ mta_send_mail(passenger_t)
++')
++
++optional_policy(`
+ puppet_manage_lib(passenger_t)
-+ puppet_search_log(passenger_t)
++ puppet_read_config(passenger_t)
++ puppet_read_log(passenger_t)
+ puppet_search_pid(passenger_t)
+')
++
++optional_policy(`
++ rpm_exec(passenger_t)
++ rpm_read_db(passenger_t)
++')
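Review bot: `mta_send_mail(passenger_t)` (L146) is unconditional, while the apache policy in this same patch only lets httpd script domains send mail under the `httpd_can_sendmail` boolean (L404-L405); since passenger runs application code on httpd's behalf, an unconditional grant here sidesteps that switch. Consider placing it inside the apache optional_policy block wrapped in a tunable_policy on `httpd_can_sendmail`, mirroring the httpd_sys_script_t rule. The `rpm_exec`/`rpm_read_db` pair (L158-L159) runs rpm in passenger_t itself with no transition, which stays read-only given only `rpm_read_db`, but a comment like `# puppet/facter queries the rpm database for package facts` would explain why a web-app domain executes rpm at all; I am inferring the puppet motive from the neighbouring block, so adjust the wording if the trigger was different.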
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
@@ -67585,7 +67621,7 @@ index 81fb26f..66cf96c 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..2a700a2 100644
+index 441cf22..39992a7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -67661,9 +67697,11 @@ index 441cf22..2a700a2 100644
########################################
#
# Crack local policy
-@@ -194,8 +209,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -193,9 +208,10 @@ selinux_compute_access_vector(groupadd_t)
+ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
++seutil_search_default_contexts(groupadd_t)
-term_use_all_ttys(groupadd_t)
-term_use_all_ptys(groupadd_t)
@@ -67672,7 +67710,7 @@ index 441cf22..2a700a2 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -203,8 +218,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -203,8 +219,8 @@ init_dontaudit_write_utmp(groupadd_t)
domain_use_interactive_fds(groupadd_t)
@@ -67682,7 +67720,7 @@ index 441cf22..2a700a2 100644
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
-@@ -219,9 +234,10 @@ miscfiles_read_localization(groupadd_t)
+@@ -219,9 +235,10 @@ miscfiles_read_localization(groupadd_t)
auth_domtrans_chk_passwd(groupadd_t)
auth_rw_lastlog(groupadd_t)
auth_use_nsswitch(groupadd_t)
@@ -67694,7 +67732,7 @@ index 441cf22..2a700a2 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
-@@ -269,6 +285,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -269,6 +286,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@@ -67702,7 +67740,7 @@ index 441cf22..2a700a2 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -277,6 +294,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -277,6 +295,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -67710,7 +67748,7 @@ index 441cf22..2a700a2 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -291,26 +309,30 @@ selinux_compute_create_context(passwd_t)
+@@ -291,26 +310,30 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -67746,7 +67784,7 @@ index 441cf22..2a700a2 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +345,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +346,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
@@ -67755,7 +67793,7 @@ index 441cf22..2a700a2 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -332,6 +354,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +355,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -67763,7 +67801,7 @@ index 441cf22..2a700a2 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -381,9 +404,10 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,9 +405,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -67776,7 +67814,7 @@ index 441cf22..2a700a2 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -396,7 +420,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -396,7 +421,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -67784,7 +67822,7 @@ index 441cf22..2a700a2 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -426,7 +449,8 @@ optional_policy(`
+@@ -426,7 +450,8 @@ optional_policy(`
# Useradd local policy
#
@@ -67794,7 +67832,7 @@ index 441cf22..2a700a2 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,29 +472,31 @@ corecmd_exec_shell(useradd_t)
+@@ -448,29 +473,31 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -67836,7 +67874,7 @@ index 441cf22..2a700a2 100644
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -478,6 +504,7 @@ auth_rw_faillog(useradd_t)
+@@ -478,6 +505,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -67844,7 +67882,7 @@ index 441cf22..2a700a2 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -490,29 +517,31 @@ logging_send_syslog_msg(useradd_t)
+@@ -490,29 +518,31 @@ logging_send_syslog_msg(useradd_t)
miscfiles_read_localization(useradd_t)
@@ -70321,7 +70359,7 @@ index f5afe78..e283f63 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..6e75a73 100644
+index 2505654..6eafbbc 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -6,11 +6,31 @@ policy_module(gnome, 2.1.0)
@@ -70394,7 +70432,7 @@ index 2505654..6e75a73 100644
##############################
#
# Local Policy
-@@ -75,3 +118,157 @@ optional_policy(`
+@@ -75,3 +118,159 @@ optional_policy(`
xserver_use_xdm_fds(gconfd_t)
xserver_rw_xdm_pipes(gconfd_t)
')
@@ -70448,6 +70486,8 @@ index 2505654..6e75a73 100644
+allow gnomesystemmm_t self:capability sys_nice;
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
+
++rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
++
+kernel_read_system_state(gnomesystemmm_t)
+
+corecmd_search_bin(gnomesystemmm_t)
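Review bot: `rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)` (L304) gives a desktop helper domain write access to a system-wide configuration type under /usr; if the underlying denial was an O_RDWR open that the program tolerates failing, `read_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)` plus `dontaudit gnomesystemmm_t config_usr_t:file write;` keeps that shared content read-only for unprivileged sessions. I cannot see the AVC that prompted this, so please confirm whether the write is functionally needed. Either way a short comment naming the consumer (`# ksysguard process helper opens config_usr_t files read-write`) would save the next maintainer from guessing.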
@@ -92127,7 +92167,7 @@ index 6480167..c453e35 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..1af488c 100644
+index 3136c6a..3c68940 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,136 +18,268 @@ policy_module(apache, 2.2.1)
@@ -92943,7 +92983,7 @@ index 3136c6a..1af488c 100644
')
optional_policy(`
-@@ -577,6 +920,33 @@ optional_policy(`
+@@ -577,6 +920,34 @@ optional_policy(`
')
optional_policy(`
@@ -92962,6 +93002,7 @@ index 3136c6a..1af488c 100644
+ passenger_manage_pid_content(httpd_t)
+ passenger_read_lib_files(httpd_t)
+ passenger_stream_connect(httpd_t)
++ passenger_manage_tmp_files(httpd_t)
+ ')
+')
+
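Review bot: Style only: the passenger interface calls in this optional_policy block are listed alphabetically (`passenger_manage_pid_content`, `passenger_read_lib_files`, `passenger_stream_connect`), so the new `passenger_manage_tmp_files(httpd_t)` (L329) belongs between `passenger_manage_pid_content` and `passenger_read_lib_files` rather than after `passenger_stream_connect`. The enclosing optional_policy block starts outside the hunk.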
@@ -92977,7 +93018,7 @@ index 3136c6a..1af488c 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +961,11 @@ optional_policy(`
+@@ -591,6 +962,11 @@ optional_policy(`
')
optional_policy(`
@@ -92989,7 +93030,7 @@ index 3136c6a..1af488c 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +978,12 @@ optional_policy(`
+@@ -603,6 +979,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -93002,7 +93043,7 @@ index 3136c6a..1af488c 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +997,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +998,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -93015,7 +93056,7 @@ index 3136c6a..1af488c 100644
########################################
#
-@@ -654,28 +1039,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1040,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -93059,7 +93100,7 @@ index 3136c6a..1af488c 100644
')
########################################
-@@ -685,6 +1072,8 @@ optional_policy(`
+@@ -685,6 +1073,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -93068,7 +93109,7 @@ index 3136c6a..1af488c 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1088,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1089,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -93094,7 +93135,7 @@ index 3136c6a..1af488c 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1134,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1135,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -93127,7 +93168,7 @@ index 3136c6a..1af488c 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1181,25 @@ optional_policy(`
+@@ -769,6 +1182,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -93153,7 +93194,7 @@ index 3136c6a..1af488c 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1220,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1221,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -93171,7 +93212,7 @@ index 3136c6a..1af488c 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1239,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1240,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -93228,7 +93269,7 @@ index 3136c6a..1af488c 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1290,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1291,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -93269,7 +93310,7 @@ index 3136c6a..1af488c 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1335,20 @@ optional_policy(`
+@@ -842,10 +1336,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -93290,7 +93331,7 @@ index 3136c6a..1af488c 100644
')
########################################
-@@ -891,11 +1394,146 @@ optional_policy(`
+@@ -891,11 +1395,146 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -126744,7 +126785,7 @@ index 2f1e529..8c0b242 100644
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
-index 2855a44..58bb459 100644
+index 2855a44..8b481cb 100644
--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@@ -8,6 +8,53 @@
@@ -126801,7 +126842,7 @@ index 2855a44..58bb459 100644
################################################
## <summary>
## Read / Write to Puppet temp files. Puppet uses
-@@ -21,11 +68,87 @@
+@@ -21,11 +68,126 @@
## </summary>
## </param>
#
@@ -126875,6 +126916,45 @@ index 2855a44..58bb459 100644
+
+#####################################
+## <summary>
++## Allow the specified domain to read puppet's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`puppet_read_log',`
++ gen_require(`
++ type puppet_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, puppet_log_t, puppet_log_t)
++')
++
++####################################
++## <summary>
++## Allow the specified domain to read puppet's config files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`puppet_read_config',`
++ gen_require(`
++ type puppet_etc_t;
++ ')
++
++ logging_search_logs($1)
++ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
++ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
++')
++
++#####################################
++## <summary>
+## Allow the specified domain to search puppet's pid files.
+## </summary>
+## <param name="domain">
@@ -139489,20 +139569,27 @@ index 32a3c13..803eea6 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..5072bd7 100644
+index 2124b6a..674d931 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
-@@ -1,5 +1,7 @@
+@@ -1,6 +1,14 @@
-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
-+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-+HOME_DIR/.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
++HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
++HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
++HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +14,49 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+ /etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+@@ -12,18 +20,49 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
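Review bot: Style only: `HOME_DIR/\.local/share/gnome-boxes/images(/.*)?` (L519) is dropped in after the `VirtualMachines/isos` entry, while the other new gnome-boxes, `\.cache` and `\.config` specs are grouped together above it; moving it next to `HOME_DIR/\.cache/gnome-boxes(/.*)?` keeps the per-application entries together. The relative ordering of `\.cache/libvirt` (virt_home_t) and `\.cache/libvirt/qemu` (svirt_home_t) relies on the longer literal stem winning, the same way the existing `\.libvirt`/`\.libvirt/qemu` pair does, so that part is consistent.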
@@ -139556,7 +139643,7 @@ index 2124b6a..5072bd7 100644
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..6fc6ad4 100644
+index 7c5d8d8..aafa852 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,39 +13,45 @@
@@ -140002,7 +140089,7 @@ index 7c5d8d8..6fc6ad4 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -515,4 +689,248 @@ interface(`virt_admin',`
+@@ -515,4 +689,249 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -140172,6 +140259,7 @@ index 7c5d8d8..6fc6ad4 100644
+
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
+')
+
+########################################
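Review bot: The new `gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")` (L546) covers `~/.cache/libvirt`, but the file contexts in this same commit also label `HOME_DIR/\.config/libvirt` as virt_home_t (L515) and nothing here transitions a freshly created `~/.config/libvirt` to that type, so until a restorecon it will carry the generic config directory type and the virt_home_t rules will not apply to it. If F16's gnome module offers it, add `gnome_config_filetrans($1, virt_home_t, dir, "libvirt")` beside the cache transition; I cannot see gnome.if here, so check the interface name. The enclosing interface starts outside the hunk.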
@@ -140252,7 +140340,7 @@ index 7c5d8d8..6fc6ad4 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..d66c99b 100644
+index 3eca020..c747758 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1,60 +1,91 @@
@@ -140865,7 +140953,7 @@ index 3eca020..d66c99b 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +666,435 @@ files_search_all(virt_domain)
+@@ -440,25 +666,438 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -140873,12 +140961,12 @@ index 3eca020..d66c99b 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -140929,6 +141017,9 @@ index 3eca020..d66c99b 100644
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
++allow virsh_t virt_etc_t:file read_file_perms;
++virt_stream_connect(virsh_t)
++
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
+kernel_read_system_state(virsh_t)
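Review bot: `allow virsh_t virt_etc_t:file read_file_perms;` (L588) grants the file class only, but `/etc/libvirt` itself is labeled virt_etc_t as a directory (`-d`, L520), so virsh also needs search on that directory to reach the files. Using the pattern macro, `read_files_pattern(virsh_t, virt_etc_t, virt_etc_t)`, adds the dir search and matches the style of the surrounding `manage_*_pattern` rules. `virt_stream_connect(virsh_t)` calling the module's own interface is fine, but a one-line comment such as `# virsh talks to libvirtd over its unix socket` would document the intent.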
@@ -141530,10 +141621,10 @@ index 0000000..8e3570d
+')
diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
new file mode 100644
-index 0000000..df9a759
+index 0000000..8edffaa
--- /dev/null
+++ b/policy/modules/services/wdmd.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,53 @@
+policy_module(wdmd,1.0.0)
+
+########################################
@@ -141551,6 +141642,9 @@ index 0000000..df9a759
+type wdmd_initrc_exec_t;
+init_script_file(wdmd_initrc_exec_t)
+
++type wdmd_tmpfs_t;
++files_tmpfs_file(wdmd_tmpfs_t)
++
+########################################
+#
+# wdmd local policy
@@ -141566,6 +141660,10 @@ index 0000000..df9a759
+manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
+files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file })
+
++manage_dirs_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
++manage_files_pattern(wdmd_t, wdmd_tmpfs_t, wdmd_tmpfs_t)
++fs_tmpfs_filetrans(wdmd_t, wdmd_tmpfs_t, { dir file })
++
+dev_read_watchdog(wdmd_t)
+dev_write_watchdog(wdmd_t)
+
@@ -143059,7 +143157,7 @@ index 130ced9..3024c40 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..3b5b571 100644
+index 143c893..cec8e1b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -144167,7 +144265,7 @@ index 143c893..3b5b571 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1368,43 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1368,44 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -144215,6 +144313,7 @@ index 143c893..3b5b571 100644
+ unconfined_getpgid(xserver_t)
+')
+
++allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms;
+can_exec(xdm_t, xdm_unconfined_exec_t)
+
+optional_policy(`
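Review bot: `allow xdm_t xdm_unconfined_exec_t:dir search_dir_perms;` (L649) works around directories carrying an executable-file type, which usually means a file-context spec for xdm_unconfined_exec_t lacks the `--` file-only qualifier and labels a whole tree; the cleaner fix is to restrict that spec to the binaries so no directory ever gets the exec type. I cannot see the xserver.fc spec from here, so please check it before keeping this rule. If the directory label is intentional, a comment stating why (`# xdm_unconfined_exec_t also labels the directory holding the helpers`) would stop the next reviewer from asking the same question.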
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e394d8f..31a9230 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 147%{?dist}
+Release: 148%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,15 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Aug 28 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-148
+- Allow virsh to stream connect to virtd
+- Add support for $HOME/.cache/libvirt
+- Allow groupadd_t to search default_context
+- Allow xdm_t to search dirs with xdm_unconfined_exec_t label
+- Allow ksysguardproces to read/write config_usr_t
+- Backport passenger policy from F18
+- Allow wdmd to create wdmd_tmpfs_t
+
* Thu Aug 23 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-147
- Fix passenger labeling
- Add thumb_tmpfs_t files type